Q&A: How Attestation Enhances Security and Eases Compliance

Although security chores fall to IT, the best experts about who should be accessing what data relies on the knowledge of an enterprises' data experts -- the business users themselves.

To understand how attestation can help ensure the right people have access to the data they need while simplifying compliance audits, we spoke with Bob Bobel, platform director, product management.at Quest Software.

Enterprise Systems: In general, people do not know what attestation means. What is the broadly accepted definition?

Bob Bobel: The word attestation is almost always used to describe that an individual has confirmed or witnessed the truthfulness to some claim or assertion. Often this takes the form of signature or digital signature on a legal document or statement. In a broader sense, attestation is about the assignment of responsibility for actions with the ultimate goal to hold the person accountable for those actions.

What does a typical attestation process look like in an organization? Who is involved in the process?

Companies that are under legal or regulatory requirements often have employees sign an attestation document verifying that they are in compliance with a particular requirement. As far as IT is concerned, these requirements clearly affect data access management and always dictate that the data owner controls access to their data. The reasoning is that the data owner understands the business justifications for granting others in the organization access to the data. The data owner is also the person who is in the best position to understand the implications of granting such access.

Although IT is not usually in a position to understand business justifications or implications behind access grants, they are an equal stakeholder in the process for two reasons. First, IT is responsible for the support and operation of the systems that store and provide physical access to the data. Second, IT is responsible for implementing the software that logically controls data access; the piece that auditors are most likely to scrutinize from a security or compliance perspective.

What is the purpose of having the business validate, through an attestation process, that access has been given?

Attestation is about assigning business accountability and IT oversight. All too often an auditor will stumble over security or compliance-sensitive data and immediately ask IT who owns the data and why the people with access have that access. IT departments that have not implemented access attestation software will typically start trying to run reports and making phone calls trying to answer the auditor's "who" and "why" questions; the complexity here may result in an answer that comes days or weeks later.

Implementing an attestation process should always be done in conjunction with an overall access management solution. Such a solution would not only provide for a periodic attestation review capability, it would also provide a business-friendly interface for application or data owners to manage access as well as provide visibility, transparency, and oversight to the IT staff and auditors.

How does attestation help sustain compliance through access accountability?

Good attestation software will enable IT to answer an auditor's questions about why access decisions were made to the data owner who made the decisions. By allowing IT to refer the auditor to the accountable person the burden of compliance is placed on the data owner where it should be. Good attestation software will also provide a historical report showing where the data owner granted/revoked access as well as when they completed attestation reviews.

Over time, access will change and periodic attestation reviews are usually conducted. These reviews should be completed quarterly or yearly. This ensures the business treats security and compliance as ongoing requirements rather than one-time events resulting in better security and sustained compliance.

What are remediation techniques for failed attestation?

There are remediation techniques that can be used to enforce that attestation reviews are completed. Remediation actions should be implemented with due consideration given to the operational sensitivity of the application or data. Automatic revocation of access to an e-mail distribution list may be acceptable, while revocation of access to apps or data that is critical to the organizations operations, such as a point-of-sale system, may not be. Both are valid remediation techniques, but they must be employed within a business context.

How does the attestation process fit into a larger self-service story?

Although attestation makes application or data owner accountable for the access to their resource, there is a larger opportunity to streamline access management. For example, empowering end users to make access requests directly to resource owner to avoid expensive help desk calls may reduce costs. Presenting an end-user access request to the data owner with simple Allow or Deny buttons may make the access approval process easy and fast to reduce the time it takes for users to gain access to critical resources.

What are the biggest mistakes IT/the enterprise makes in implementing an attestation process?

Many organizations attempt to implement a manual attestation process involving collecting data and circulating reports that must then get a manual signature and returned. Because manual attestation is very inefficient, only a small number of groups/roles can be covered before the process becomes unmanageable. The result could be a lack of coverage and ultimately a failure to sustain compliance.

What best practices can you recommend to avoid these problems?

Automated software attestation provides efficient oversight and the necessary compliance controls. It can also help make the entire environment more efficient and easier to manage. For example, you may require quarterly attestation for compliance- or security-sensitive groups to make the auditors happy, but you could also require yearly attestation for e-mail distribution lists to determine which groups are still required by the business.

Rarely does someone leave an organization and notify IT that their distribution lists are no longer needed. Without a required period review, there is no good way to know which groups are still needed and which groups can be deprovisoned to reduce the number of items to manage. Fewer groups means faster searches and less chance for security or compliance breaches.

What products does Quest offer for attestation?

Quest's ActiveRoles Server with the add-on ActiveRoles Self-Service Manager provides automated attestation capabilities for sustained compliance. The Self-Service module also provides self-service group management for application and data owners, enforces IT policies that require an owner periodically perform attestation, and self-service access request capability to allow the users to request access to resources through business workflow.